FISA Section 702 Nears Expiry: Lawmakers Clash Over Americans’ Privacy vs. Surveillance Powers

A critical U.S. surveillance law, known as FISA Section 702, is set to expire next week, throwing Congress into a fierce debate over national security and the privacy rights of Americans. This law has long allowed intelligence agencies like the NSA and FBI to collect overseas communications without warrants—but it also sweeps up data on countless U.S. citizens.

As the April 20 deadline looms, a bipartisan group of lawmakers is pushing for major reforms to end warrantless surveillance of Americans. Meanwhile, the Trump administration and some Republicans want a simple extension without changes. The outcome will shape how the government monitors communications for years to come.

What Is FISA Section 702 and Why Does It Matter?

FISA Section 702 permits U.S. intelligence agencies to intercept foreign communications flowing through American networks. However, this bulk collection inevitably captures emails, phone logs, and other data from Americans who communicate with people overseas—all without a search warrant.

Privacy advocates argue that this practice violates the Fourth Amendment, which protects against unreasonable searches. The American Civil Liberties Union and other groups have long condemned the program as an overreach that infringes on civil liberties.

Lawmakers Divided Over Reauthorization and Reforms

On one side, the White House and some House Republicans favor a clean reauthorization of FISA Section 702, arguing it is essential for counterterrorism and foreign intelligence. President Trump recently signaled support for extending the law without amendments.

On the other side, a bipartisan coalition led by Senators Ron Wyden and Mike Lee introduced the Government Surveillance Reform Act. This bill aims to close the controversial “backdoor search” loophole, which allows agencies to search Americans’ communications without a warrant. It also seeks to ban the government from buying location data from data brokers—a practice FBI Director Kash Patel confirmed in a March hearing.

“Many lawmakers aren’t aware that multiple administrations have relied on a secret interpretation of Section 702 that directly affects Americans’ privacy,” Wyden warned. He has urged the government to declassify this information.

Representative Thomas Massie echoed these concerns after reviewing classified FISA documents, stating he would vote against reauthorization. “The Constitution requires I vote No,” he posted on X.

What Happens If FISA Section 702 Expires?

Even if the law expires on April 20, surveillance may not stop immediately. A legal quirk allows the Foreign Intelligence Surveillance Court to certify the government’s practices annually, effectively extending surveillance until March 2027 unless Congress actively intervenes.

Additionally, the government operates under Executive Order 12333, a secret presidential directive that governs much of the surveillance outside the U.S. and also captures Americans’ communications. This means privacy protections remain fragile regardless of Section 702’s fate.

Privacy Reforms Gain Momentum Amid Tech Advances

The debate comes as technology makes surveillance easier than ever. App developers collect vast amounts of location data, selling it to brokers who then supply governments. Both Republicans and Democrats reportedly want to close this loophole, which also complicates negotiations with AI companies like Anthropic and OpenAI.

Privacy groups including the Electronic Privacy Information Center and the Project on Government Oversight support the reform bill. However, its passage remains uncertain as Congress faces a tight deadline.

For more on how surveillance laws impact your digital life, check out our guide on protecting your privacy online. To understand the history of FISA, read our explainer on the Foreign Intelligence Surveillance Act.

In the end, the fight over FISA Section 702 is a battle between security and liberty. As lawmakers debate, Americans must ask: How much privacy are we willing to trade for safety?

Mailbox Rule Abuse: The Stealthy Post-Compromise Threat in Microsoft 365

Imagine an attacker quietly controlling your email inbox—deleting security alerts, forwarding sensitive messages, and hiding all traces of their activity. This is not a far-fetched scenario. Security researchers have uncovered a significant rise in mailbox rule abuse within Microsoft 365 environments, where cybercriminals leverage native email features to maintain access, exfiltrate data, and manipulate communications after compromising an account.

According to findings from Proofpoint, approximately 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access. These rules often use minimal or nonsensical names, making them easy to overlook. They are designed to delete emails or move them into rarely monitored folders like Archive or RSS Subscriptions, allowing attackers to operate under the radar.

How Attackers Exploit Microsoft 365 Mailbox Rules

Mailbox rules provide attackers with a powerful combination of automation and stealth. Once inside an account, they can silently control email flow while avoiding detection. By suppressing or redirecting messages, attackers reshape what victims see in their inbox, allowing fraudulent activity to continue unnoticed.

Common attacker objectives include:

• Forwarding sensitive emails to external accounts for data theft
• Hiding security alerts, password resets, and suspicious activity
• Intercepting and manipulating ongoing email conversations
• Maintaining access even after password changes

In practice, these tactics enable attackers to impersonate victims, hijack communication threads, and influence business transactions without triggering traditional security alerts. This form of mailbox rule abuse is particularly dangerous because it leverages legitimate functionality, making it hard for standard defenses to detect.

Real-World Impact and Persistence Risks

Several scenarios illustrate how mailbox rule abuse plays out in real attacks. In one case observed by Proofpoint, attackers targeted payroll processes by launching internal phishing emails from a compromised account, while rules were created to hide replies and warnings. This ensured the activity remained largely invisible to the victim.

In another example, attackers combined mailbox rules with third-party email services and domain spoofing to intercept vendor communications and insert fraudulent payment requests into existing threads. These tactics are classic signs of business email compromise (BEC) attacks, which continue to plague organizations worldwide.

University environments have also been affected. Attackers frequently deploy blanket rules that delete or hide all incoming messages, isolating the mailbox and enabling large-scale spam campaigns without user awareness. One of the most concerning aspects is persistence: malicious forwarding and suppression rules can remain active even after credentials are reset, allowing continued data exposure.

Building on this, researchers note that automation tools now enable attackers to deploy these rules across multiple accounts at scale, turning a simple feature into a powerful and difficult-to-detect attack method. This means that even organizations with robust security measures can fall victim to mailbox rule abuse if they do not monitor for such activity.

Defending Against Mailbox Rule Abuse

To defend against similar threats, Proofpoint suggests that organizations disable external auto-forwarding, enforce strong access controls including multi-factor authentication (MFA), and closely monitor OAuth activity. Ensuring rapid response by removing malicious rules, revoking sessions, and auditing account activity is also recommended.

For more insights on protecting your organization, check out our guide on business email compromise prevention and learn about Microsoft 365 security best practices.

In conclusion, mailbox rule abuse represents a stealthy post-compromise threat that every organization using Microsoft 365 should take seriously. By understanding how attackers exploit these features and implementing proactive defenses, you can reduce the risk of data breaches and financial losses.

Hackers Exploit Unpatched Windows Vulnerabilities After Security Researcher Publishes Exploit Code

Cybersecurity firm Huntress has confirmed that hackers are actively exploiting three Windows security flaws after a disgruntled researcher released exploit code online. The attacks have already breached at least one organization, according to the company’s findings shared on X.

The vulnerabilities, named BlueHammer, UnDefend, and RedSun, all target Microsoft’s Windows Defender antivirus software. Each flaw allows attackers to gain administrator-level access to affected Windows systems, posing a serious risk to enterprises and individuals alike.

What Are the Three Windows Security Flaws?

Of the three bugs, only BlueHammer has received a patch from Microsoft, which was rolled out earlier this week. The other two—UnDefend and RedSun—remain unpatched, leaving systems exposed.

The exploit code for all three vulnerabilities was published by a researcher known as Chaotic Eclipse. The researcher first posted code for an unpatched Windows flaw on their blog, citing a conflict with Microsoft’s Security Response Center (MSRC) as motivation. “I was not bluffing Microsoft and I’m doing it again,” they wrote, adding sarcastic thanks to MSRC leadership.

How Are Hackers Using These Exploits?

Huntress researchers observed that attackers are leveraging the published proof-of-concept code to launch attacks. John Hammond, a Huntress researcher tracking the case, told TechCrunch that the ready-made nature of the exploits accelerates the threat. “With these being so easily available now, and already weaponized for easy use, for better or for worse I think that ultimately puts us in another tug-of-war match between defenders and cybercriminals,” he said.

This scenario highlights the dangers of full disclosure, where researchers release exploit code after communication breakdowns with software vendors. When such code goes public, cybercriminals and state-sponsored hackers can quickly weaponize it, forcing defenders into a reactive race.

Microsoft’s Response and the Full Disclosure Debate

Microsoft responded to inquiries with a statement from communications director Ben Hope, emphasizing the company’s support for coordinated vulnerability disclosure. “We support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure,” he said.

However, the case underscores the tension between researchers and vendors. When negotiations fail, some researchers opt for full disclosure, publishing exploit code to pressure companies into action. This approach, while controversial, can expose critical flaws faster—but also arms malicious actors.

What Should Organizations Do Now?

For IT teams, the priority is applying the BlueHammer patch immediately and monitoring for signs of exploitation. Until Microsoft releases fixes for UnDefend and RedSun, administrators should consider additional security layers, such as endpoint detection and response tools.

Building on this, organizations can also review their cybersecurity best practices to strengthen defenses against zero-day exploits. Regularly updating software and restricting admin privileges are essential steps.

The Bigger Picture: A Growing Trend

This incident is not isolated. In recent years, similar full-disclosure events have led to widespread attacks, such as the EternalBlue exploit that fueled ransomware outbreaks. As researchers and vendors clash, the cybersecurity community must find a balance between transparency and safety.

Meanwhile, Huntress continues to monitor the situation. “Scenarios like these cause us to race with our adversaries; defenders frantically try to protect against ill-intended actors who rapidly take advantage of these exploits,” Hammond added.

For now, the message is clear: unpatched Windows security flaws are a ticking time bomb, and the clock is ticking faster than ever.